Posted March 10, 201510 yr Hi guys.Nice to meet you.this app was protected by Shielden+DNGuard.Have a try,If you got it,Describe how to do it,thanks...sorry my poor english,sorry my chinglish ! ((o(^_ ^)o)) ((o(^_ ^)o)) ((o(^_ ^)o)) ((o(^_ ^)o)) UnPackMe.rar Edited March 13, 201510 yr by 381400744
March 11, 201510 yr Author Giveng the people rose,the hand have lingering fragrance. is there nobody?
March 12, 201510 yr Hi 381400744, This application was protected by Shielden and Dnguard! I've already unpacked the fist protector(Shielden),and this application is running now... But the second protector(DNGuard HVM),i don't know how to unpack it! I want someone to do...... UnPackMe_UnPacked1.rar
March 12, 201510 yr Over the unprotected file posted by je9rry:- I've got to jump the .idata section to the .text section,After that reconstruct import table using Universal Fixer.(all ".NET" should be unmarked )- I've got to set the "IL only" flag from .NET Directory.- I've got to fix the entry pointAfter that unpack it using DNGuardHVMUnpacker.
March 12, 201510 yr Unverifiable PE Header/native stub.The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest. Edited March 12, 201510 yr by CodeCracker
March 12, 201510 yr The above error is annoying! The assembly won't start!I could make it work only by decompiling with ildasm.exeand compiling with ilasm!Unpacked file attached! UnPackMe_UnPackedSetup1_unpacked.zip
March 12, 201510 yr @ je9rry now CodeCracker sharing how to unpack DNGuard HVM ,so could you sharing how to unpack Shielden ? i know you are Willing to share happiness with us
March 13, 201510 yr @codecracker good job! - I've got to jump the .idata section to the .text section, cann't understand this step. Please more detail .Thanks!
March 13, 201510 yr Author @CodeCracker you are a super star in China. many people in my country has heard of you! Pretty good, great man and know how to share! I'm your fans! Edited March 13, 201510 yr by 381400744
March 13, 201510 yr Author @Falcon_2015 Unpacking shielden is a simple thing! 1.Dump it in memory! 2.All of sessions the raws overflow,you should repair them! Edited March 13, 201510 yr by 381400744
March 13, 201510 yr @codecracker good job! - I've got to jump the .idata section to the .text section, cann't understand this step. Please more detail .Thanks! You must join the .idata section to the .text section: I've used CFF Explorer: - add to Virtual Size of ".text" section the Virtual Size of ".idata" section - add to Raw Size of ".text" section the Rawl Size of ".idata" section - delete the .idata section - header only - set the Import Directory RVA to a good place so UniversalFixer could fix imports!
March 13, 201510 yr Unverifiable PE Header/native stub. The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest. Could you please share the file that's having this error? I'm interested in finding out what's causing it.
March 13, 201510 yr @Falcon_2015 Unpacking shielden is a simple thing! 1.Dump it in memory! 2.All of sessions the raws overflow,you should repair them! Hi 381400744: Before ,i unpack some Shielden EXE ,but i used same method to Dump and fixed this UnpackMe ,i'm failed , pls give me some guide(did you fix other part with CFF) and do you unstander CodeCracker said Tutorial,if you Understand how to unpack your UnpackMe ,pls sharing , you said :Giveng the people rose,the hand have lingering fragrance Edited March 14, 201510 yr by Falcon_2015
March 13, 201510 yr @kao:The error comes after unpacking with DNGuardHVMUnpacker!File attached! UnPackMe_UnPackedSetup2_fix_unpackedz.zip
March 13, 201510 yr Author @Falcon_2015 please contact me whith QQ International . My QQ number: 381400744 Edited March 13, 201510 yr by 381400744
March 17, 201510 yr @CodeCracker I follow these steps:- add to Virtual Size of ".text" section the Virtual Size of ".idata" section ------- C2000+2000- add to Raw Size of ".text" section the Rawl Size of ".idata" section --------6000+2000- delete the .idata section - header only ------------------do it then save file ,open it .found the import directory is empty .how to deal with it?
March 17, 201510 yr Author @je9rry when you changed the section ! you should to rebuild import directory.......
March 17, 201510 yr @381400744 I get it .thanks! @codecracker but i don't know how to fix the entry point .so the DNGunpacker cann't upack it .error message: two more TLS's IAT . Can you give some advice . Thanks for your reply!UnPackMe_UnPacked_fix.rar Edited March 17, 201510 yr by je9rry
March 17, 201510 yr @jerry mark ilcode box i dont know i dump exe failed to decrypt string Unpacked3.zip
March 17, 201510 yr @codecracker but i don't know how to fix the entry point .so the DNGunpacker cann't upack it . error message: two more TLS's IAT Find a suitable place for entry point (free 00... spaces) The entry point should look like this: FF2500204000 (jmp dword ptr FTs (IAT).
March 17, 201510 yr Thanks works great . @jerry can you share the se unpack tut cause my unpacked string crashes jerry exe unpacked with codecracker tut UnPackMe_UnPacked_fix_fix_unpackedz_Final.zip Edited March 17, 201510 yr by Death
March 17, 201510 yr Solution Finally done as full Here is tutorial how to unpack proper Edited : 1. Dump net from process module [ can use dotnet dumper ] 2. remove .hvmRunt + .rsrc + .HVMRunt Delete ( header and data ) use cff3. Find corExe by cff in string mod and find comfortamble location copy the rva use that on Impordirection RVA [CFF]3. Use universal fixer without mark .net and fix [ For fix the mscoree.dll with corExe place in correct location ]4. Use Cff and copy the virtualize dowrd address from section header[x] .text 5. .Net direction flags value should be 0003 [ilcode mark]6. use Dnguard Unpacker 7. for run use ilasm and ildasm it is all at long last . End of the game .... Attached Unpacked4 Final Tutroial Unpacked4_Tutroial.zip Edited March 17, 201510 yr by Death
Create an account or sign in to comment